Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SAML Logout not sending correct NameID in Logout Request #7194

Closed
rhoerbe opened this issue Jun 8, 2017 · 0 comments · Fixed by #17860
Closed

SAML Logout not sending correct NameID in Logout Request #7194

rhoerbe opened this issue Jun 8, 2017 · 0 comments · Fixed by #17860
Assignees
@pierre-lehnen-rc

Comments

@rhoerbe
Copy link

rhoerbe commented Jun 8, 2017

Rocket.Chat Version: 0.56
Running Instances: 1
DB Replicaset OpLog:
Node Version: 4.5

Sending a LogoutRequest to a Shibboleth IDP results a "Unknown Principal" error response. The reason is that Shibboleth cannot match the NameID from the LogoutRequest with that from the Assertion. I think that meteor is sending a broken NameID in the LogoutRequest:

<samlp:LogoutRequest
    Destination="https://idp5.test.portalverbund.gv.at/idp/profile/SAML2/Redirect/SLO"
    ID="_dbfc10f2b2b46dd43843" IssueInstant="2017-06-08T13:34:12.761Z"
    Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://test.ucom.gv.at/_saml/metadata/sp</saml:Issuer>
    <saml:NameID
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        NameQualifier="http://id.init8.net:8080/openam"
        SPNameQualifier="https://test.ucom.gv.at/_saml/metadata/sp" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">_580bc21719460de9960e40bf07148457</saml:NameID>
    <samlp:SessionIndex xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">_580bc21719460de9960e40bf07148457</samlp:SessionIndex>
</samlp:LogoutRequest>

When looking at the assertion I find a different NameQualifier and NameID.

    <saml2:Assertion ID="_f59fb807deba37a83b1fec542d87309b"
        IssueInstant="2017-06-08T13:24:14.140Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Issuer>https://idp5.test.portalverbund.gv.at/idp.xml</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID
                Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                NameQualifier="https://idp5.test.portalverbund.gv.at/idp.xml"
                SPNameQualifier="https://test.ucom.gv.at/_saml/metadata/sp" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">test@bmspot.gv.at</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData Address="81.217.70.83"
                    InResponseTo="5DLAKSbj7Eu7vr2Gr"
                    NotOnOrAfter="2017-06-08T13:29:14.272Z" Recipient="https://test.ucom.gv.at/_saml/validate/sp"/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>
...

Expected behaviour: The NameID in the LogoutRequest should match the NameID from the Login.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pierre-lehnen-rc pierre-lehnen-rc

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[FIX] SAML LogoutRequest sending wrong NameID RocketChat/Rocket.Chat
3 participants
@Hudell @rhoerbe @pierre-lehnen-rc